I was just reminded of this randomly just by reading this list of new tools released at the Defcon this year. Sounds like a busy conference, with a lot of hackers who love what they do. Good stuff.

It has become more like a global fair than what most people think of conferences; even the badge is highly unique. I say this because there are so many things to do at DEFCON, other than going to talks, that you could spend your whole weekend looking at the “World’s Largest Boar!” so to speak. One of the CTF (Capture the Flag) contest winners this year actually exclaimed that he only made it to 2 talks in 12 years! I am also one of those individuals who barely get a chance to go to talks and now that the speaker pool is so diverse it’s hard to find all of the “stuff” they release.

Read the list and full article here

I recently spoke with a friend who left the DC region for a position in Silicon Valley. When I asked what he thought of the move he said, “Well, you have the same giant buildings with technology company names on the outside rising out of nowhere. You have the same high quality of engineer, but it seems that the difference is in DC, everyone wears a suit or a tie and looks down upon you if you grab a drink at lunch, or unwind like a younger person would.” 

I thought long and hard about his comment and decided that I would have to find out for myself. Is the DC area high tech community really that stuffy? Do people really not enjoy a good stiff drink after a long day? 

Last night, I attended the Twin Tech party, a sponsored happy hour with the worthy goal of “mixing up our vast, and somewhat fragmented technology culture here in the greater DC region”. I can officially say, the DC tech scene is changing and it’s changing fast.

Let’s start with the venue, instead of holding this event in the suburbs (McCormick & Schmicks anyone?) or at a large hotel bar, they chose to have the event at a trendy up-and-coming part of town in what can be best described as one of DC’s hottest bars, Local 16.  Not only that, because of the overwhelming response to attend, they had to rent out the bar next to it as well. 

I expected that I would arrive and find the place mostly empty and have a few suits there chatting over a drink or 2.  Instead I found myself at the overflow bar with a number of young up and comers in the space.  It was impossible to get into the original venue, and the second venue was packed as well!  Amongst all the people I found a friendly, happy, open vibe that allowed for great conversation, and interesting discussion about new technologies and the ideas people had about using and building the future. 

It was the best of both worlds for a young technologist.  I was able to discuss the topics and issues that were most facilitating and relevant (Social Networking from a corporate perspective, new blogging ideas, how new media is helping old media, etc), while still having a great time, and allowing myself to be properly refreshed for a hot DC summer night.

ShareThis

Collaboration in the Cloud

Forward thinking companies use collaboration technologies to melt away the physical distance between disparate offices, remote workers and suppliers.  Investments in R&D projects to create the next generation of business collaboration technologies and starting to bear early fruits and are worth paying attention to - especially if you get paid to “do security”.  One major focus area is Virtual Worlds.

Teleporting Virgins

The big news in the Second Life research community is that avatars (”virtual people”) have successfully teleported between distinct virtual worlds.  The virgin teleporters went from a Second Life Preview Grid - an experimental grid completely disconnected from the Main Grid - to a virtual world running IBM OpenSIM.

At this stage there is intentionally no asset transfer going on at all - in other words, you can’t take your “stuff” from one world to another - but that will come in time as the Open Grid Protocol is extended.  Today just login and teleport are supported.  No stealing those trade secret “assets” yet ;-).

Linden Labs speaks to this issue:

Q: How will Linden Lab prevent property from being copied into other virtual worlds?
We’re paying extremely close attention to that question. We will be designing this with the Second Life community to ensure their needs are met. We want to stress that when it does become possible to move avatars between worlds, we will take the utmost care to protect the rights of Second Life property owners and creators. Linden Lab will not design a system that lets people openly violate the permissions of SL goods and take them to other worlds. We recognize that intellectual property is the engine that drives Second Life, and we are completely committed to preserving the qualities that make Second Life the unique, innovative and dynamic place that it is today.

With my “hacker-vision” ™ enabled I see *all kinds* of opportunities for mischief here.  I’m betting we’ll see imaginative attacks as the usual cat and mouse game of vulnerability research and vendor response plays out.  “Sorry boss, someone hijacked my avatar and now I’m stuck on this desert island for who knows how long!”.

Threat Profiling Second Life

Getting back to reality, people are already exploring Virtual World security.  Michael Thumann of ERNW in Germany is a pen-tester and security researcher and in this 10 minute video, Michael shares the result of his security research on Second Life.

He covers:

• In-game cheating
• Identity theft
• Attacking 3rd party servers using Linden Scripting Language (think about the liability issues and the providers ability to track abusers)

For those interested in more detail, the full presentation he gave at BlackHat Europe 2008 in Amsterdam is here (pdf).

Of particular note, Michael applied a formal threat model approach to the research - STRIDE from Microsoft.

In a future post I’ll talk more about threat profiling in the context of Cloud Computing vulnerability research and specific API security vulnerability classes we can expect to see exploited.

Only 6% of the those who responded to the poll, conducted from July 3 thru July 12th, voted that CEP was mature.   If you include those who consider CEP getting close to maturity, 18% of our readers who voted said that CEP was in the final stages of maturity.

How is it possible that 31% of the folks who responded believe that CEP is in the Gartner-defined Technology Trigger stage of maturity, while 6% believe CEP is at the other end of spectrum, in the Plateau of Maturity Phase?

During the poll I received a question from a colleague who asked me if I “still loved CEP?” and “why are you trashing the entire industry that you love?”   

Frankly speaking, I have enjoyed a passion about event processing since my early days at Sprint, circa 1993, during the NSFNET transition to the commercial Internet.   Then, as today, we hoped for the same goals and objectives that network and security management people seek to achieve; high confidence in actionable alerts with a very low false alarm rate, all based on processing myriad distributed networking events, sometimes referred to today as sense-and-respond networking.

Today, we are good at “sensing”.  Events are created, perhaps trillions upon trillions a second globally.   No one knows the exact number of events the world’s networks generate in a single second, much less in a day or a year.      Yet, we are quite good at producing events.

What we do know is that we do not yet have the technology to listen to myriad events and determine complex events and situations with high confidence.   At best, we can detect, sense-and-respond, to simple events and primitive situations.  

On the other end of the maturity curve, there have been some advances.  Some of the notable progress has been in the event stream processing (ESP) space.    ESP is an importart part of the equation but it is nowhere close to the entire solution because rule-based stream processing is at a very low level in most sense-and-respond decision-making models.  Higher level inference requires more sophistication.

Two-thirds of our readers believe that CEP is still in the very early stages.  The majority of our readers envision CEP as a technology, or set of technologies, to solve myriad complex event processing problems and they know we have a long way to go.     On the other hand and with just as much passion, about one-in-six readers think that the technology is mature, and we are at the end of the CEP maturity cycle.

My crystal ball is just as foggy as yours on the future of CEP - but here on The Complex Event Processing Blog, we continue to work hard to “keep it real” for our readers.  

Had a great time Sunday with Rob Newby. We solved the world’s problems over deep fried whitefish and french fries (fish & chips to him).  It was a very good time, even if my driving did make him a bit uneasy.  If I may quote myself (said in an attempt to soothe Rob’s uneasyness about being lost in the car of a complete stranger in a strange country):

If your life doesn’t imitate the surreal aspects of a Douglas Adams book at least once a day, you’re just not living right.

Aside:  Bruce Scheier already has too many awards and too much recognition, so go vote for Rob instead :)   :  http://robnewby.blogspot.com/2008/07/award-up-for-grabs.html

SEPARATION OF CHURCH AND (CURRENT) STATE

Rob and I spent some time discussing risk and security,  and our conversation circled around the (now) recurring blogo-topic concerning the State of the Practice.  It’s a favorite topic of mine, so I’ve been delighted that it has reappeared in blogodom.

Rob writes about it some here in PCI the Priest.  LonerVamp’s and Richard Bejtlich’s blogs talk about Galileo, his confrontation with his church, and lessons we can learn from history (there’s nothing wrong with them recycling the meme, IMHO - because I, for one, never got closure the first time). Jon added a nice quote from Feynman today that’s also inline with the meme.

I’m not going to belabor the analogy, the “art vs. science” misnomer, nor discuss the problems with our various canon (PCI, ISO, CoBTI, COSO, blah, blah, blah).  Rather I’d like to talk about some essential things I think our industry needs to “sort out”  before it can move on towards a more scientific view of the world.  And by “sort out” of course, I mean agree with me on

CAN’T WE ALL JUST GET ALONG?

1 - Can we agree that risk is a probability issue?
Now obviously, you can retreat in probability theory a century or so and claim that risk is a Knightian uncertainty and that we just can’t “know” it.  Have fun.  But you should know that there’s the catch - “security” is also a probability issue.  So I’m betting that you can’t know “secure” for much of the same reasons Frank Knight would argue we can’t know “risky”.

But if risk (and security) is a probability issue, however, then we’re going to have to do better than “A’s in three college courses in statistics” to address the problem.  We will have to do as Curphey (and others) suggest and bring elements of other disciplines to bear on our problem space.  Let me suggest probability theory and economics as fine, fine places to start.

2 - Can we agree to stop measuring stupidly?
We have to agree that Ordinal Scales are not measurements, and Interval Scales are not useful measurements?

I had a post titled “More Ways To Confuse Your Auditor/Assessor” but it turned out to be a pretty cruel discussion about how we tend to try to act like our calculations based on ordinal or interval scales are useful (hint:  insist that your auditor/assessor/consultant replace the label “one” with the label “zero”).

Note that if risk is a probability issue, then we’re going to have to throw out the concepts of measuring in any scale other than a ratio anyhow.

3 - Can we agree on a (good) taxonomy?
We’re going to have to do (much) better than ISO 27005 (nudge, nudge).

4 - Can we agree we need to do a better job with our data?
We’re going to have to do better with measurements, metrics, models and testing.

It’s a shame that honeypots tend to be under appreciated.

5 - Can we agree to test that data and share it with each other?
We may not need to share specific data, but we will need to share when a model falls down.

I’d like to be as idealistic as some of my fellow ‘New Schoolers’ and suggest we’ll someday all be sharing data together, but I’m skeptical.  But that doesn’t mean we can’t demonstrate where results from the models we use are not repeatable, consistent or logical.   One thing Rob and I talked about at length yesterday was the ability to disprove a model using realistic but “substitute” or sanitized data.  There’s gonna be a TON of work to be done here, and that work will take not years but careers.  Which begs a great question:

Is it the sharing of data that we need, or the sharing of models?

HELP ME OUT, HERE
That’s my list of 5 fundamental concepts I wish we could move past.  Let me ask you - what else am I missing?  What’s it going to take to get past our current malaise?  How does the New School reach critical mass?  Who is going to help us agree in a centralized manner?

Your comments or own blog posts are most welcome (please include a trackback or post here)